FS#62219 - [libvirt] usr/lib/firewalld/zones/libvirt.xml seems to be invalid

Attached to Project: Community Packages
Opened by Leon Möller (jkhsjdhjs) - Tuesday, 02 April 2019, 21:59 GMT
Last edited by freswa (frederik) - Wednesday, 06 May 2020, 17:10 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Christian Rebischke (Shibumi)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:
The file usr/lib/firewalld/zones/libvirt.xml added with package version 5.1.0-1 seems to be invalid.
firewalld errors when attempting to parse it:
firewalld[554]: ERROR: Failed to load zone file '/usr/lib/firewalld/zones/libvirt.xml': PARSE_ERROR: rule: Unexpected attribute priority.

Downgrading fixes the issue as libvirt 5.0.0-1 doesn't contain the file.

Steps to reproduce:
Install the latest version of libvirt and firewalld.
Start firewalld: systemctl start firewalld
Check the firewalld logs: systemctl status firewalld
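
A preflight check for the parse failure reported above, added here as an example and not part of the original report or of the libvirt or firewalld packaging: it lists every `<rule>` element in a zone file that carries a `priority` attribute, together with the lines the element spans. The sample zone text and the function name `find_priority_rules` are constructed for illustration.

```python
import xml.parsers.expat

# Constructed sample shaped like the rule quoted in this report; not the packaged file.
SAMPLE_ZONE = """<zone target='ACCEPT'>
  <short>example</short>
  <rule priority='32767'>
    <reject/>
  </rule>
  <rule family='ipv4'>
    <accept/>
  </rule>
  <service name='dhcp'/>
</zone>
"""


def find_priority_rules(xml_text):
    """Return [(start_line, end_line, priority)] for each <rule> with a priority attribute.

    Raises ValueError if the text is not well-formed XML.
    """
    hits = []
    open_rules = []  # stack of (start_line, priority or None) for rules not yet closed
    parser = xml.parsers.expat.ParserCreate()

    def on_start(name, attrs):
        if name == "rule":
            open_rules.append((parser.CurrentLineNumber, attrs.get("priority")))

    def on_end(name):
        if name == "rule":
            start_line, priority = open_rules.pop()
            if priority is not None:
                hits.append((start_line, parser.CurrentLineNumber, priority))

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(xml_text, True)
    except xml.parsers.expat.ExpatError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    return hits


if __name__ == "__main__":
    for first, last, prio in find_priority_rules(SAMPLE_ZONE):
        print(f"rule priority={prio} spans lines {first}-{last}")
```

To check an installed file, pass its contents, for example the text read from /usr/lib/firewalld/zones/libvirt.xml.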

Closed by  freswa (frederik)
Wednesday, 06 May 2020, 17:10 GMT
Reason for closing:  Fixed
Additional comments about closing:  libvirt 5.3.0-1
Comment by loqs (loqs) - Tuesday, 02 April 2019, 22:58 GMT
Comment by Toolybird (Toolybird) - Thursday, 11 April 2019, 22:14 GMT
https://www.redhat.com/archives/libvir-list/2019-April/msg00815.html

More confirmation as per @loqs first link that Arch should build libvirt with:

--without-firewalld-zone

(at least until there is a new firewalld release).
Comment by Christian Rebischke (Shibumi) - Thursday, 30 May 2019, 01:39 GMT
Is this still an issue? Can you confirm?
Comment by Nico (nicovell3) - Thursday, 30 May 2019, 08:46 GMT
I've updated to the last versions available (community/firewalld 0.6.4-1, community/libvirt 5.3.0-1) and the problem persists.

When I try to start firewalld, the following error keeps showing:
ERROR: Failed to load zone file '/usr/lib/firewalld/zones/libvirt.xml': PARSE_ERROR: rule: Unexpected attribute priority

To temporarily solve it, I opened /usr/lib/firewalld/zones/libvirt.xml and commented out the lines "<rule priority='32767'><reject/></rule>". Now the firewalld service starts and the libvirtd zone is created.
Comment by Leon Möller (jkhsjdhjs) - Tuesday, 11 February 2020, 21:50 GMT
  • Field changed: Percent Complete (100% → 0%)
The implemented solution doesn't work, because the rule consists of multiple lines.
To comment out the lines the following sed command can be used: "/<rule priority='32767'>/,/<\/rule>/ s/^/#/"
The first part selects the lines and the second part inserts a # at the beginning of each line.
Comment by freswa (frederik) - Tuesday, 11 February 2020, 21:51 GMT
Does this persist with the latest package?
Comment by Leon Möller (jkhsjdhjs) - Tuesday, 11 February 2020, 22:44 GMT
Thanks for reopening, that's not an issue anymore since the firewalld package now supports rule priorities.
Line 170 of the PKGBUILD can be removed btw, it was supposed to fix this issue and isn't necessary anymore.
Comment by loqs (loqs) - Wednesday, 12 February 2020, 00:37 GMT
Changes to PKGBUILD included in PKGBUILD.diff:
* Drop the rule adjustment that is no longer needed.
* Add firewalld as a makedepend in case autodetection starts expecting it to be present in order to enable the config options --with_firewalld and --with_firewalld_zone.
* Add firewalld as an optdepend to indicate it provides firewall support.

This would also close  FS#64803  and  FS#62219 
Comment by Toolybird (Toolybird) - Wednesday, 12 February 2020, 04:22 GMT
> Add firewalld as a makedepend in case autodetection starts expecting it to be present

Hey @loqs, this bit is unnecessary IMHO. "in case" is not a good reason.

The firewalld part of the configure script is only processing the `--with*' args, not looking for anything external (apart from dbus).

configure: firewalld: yes (CFLAGS='' LIBS='')
configure: firewalld-zone: yes

(that's with no firewalld installed)

The libvirt PKGBUILD is already a bit crufty so let's not make it worse.
